Coordinating the Disclosure of Security Vulnerabilities in Canada
Total Page:16
File Type:pdf, Size:1020Kb
See Something, Say Something Coordinating the Disclosure of Security Vulnerabilities in Canada June 2021 Yuan Stevens | Stephanie Tran | Ryan Atkinson | Sam Andrey Cybersecure Policy Exchange The Cybersecure Policy Exchange (CPX) is an initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy, powered by RBC through Rogers Cybersecure Catalyst and the Ryerson Leadership Lab. Our goal is to broaden and deepen the debate and discussion of cybersecurity and digital privacy policy in Canada, and to create and advance innovative policy responses, from idea generation to implementation. This initiative is sponsored by the Royal Bank of Canada; we are committed to publishing independent and objective findings and ensuring transparency by declaring the sponsors of our work. Rogers Cybersecure Catalyst Rogers Cybersecure Catalyst is Ryerson University’s national centre for innovation and collaboration in cybersecurity. The Catalyst works closely with the private and public sectors and academic institutions to help Canadians and Canadian businesses tackle the challenges and seize the opportunities of cybersecurity. Based in Brampton, the Catalyst delivers training; commercial acceleration programming; support for applied R&D; and public education and policy development, all in cybersecurity. Ryerson Leadership Lab The Ryerson Leadership Lab is an action-oriented think tank at Ryerson University dedicated to developing new leaders and solutions to today’s most pressing civic challenges. Through public policy activation and leadership development, the Leadership Lab’s mission is to build a new generation of skilled and adaptive leaders committed to a more trustworthy, inclusive society. This project is sponsored by the Department of National Defence’s Mobilizing Insights in Defence and Security program. How to Cite this Report Stevens, Y., Tran, S., Atkinson, R., Andrey, S. (2021, June). See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada. Retrieved from https://www.cybersecurepolicy.ca/vulnerability-disclosure. © 2021, Ryerson University 350 Victoria St, Toronto, ON M5B 2K3 ISBN : 978-1-77417-027-4 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. You are free to share, copy and redistribute this material provided you: give appropriate credit; do not use the material for commercial purposes; do not apply legal terms or technological measures that legally restrict others from doing anything the license permits; and if you remix, transform, or build upon the material, you must distribute your contributions under the same licence, indicate if changes were made, and not suggest the licensor endorses you or your use. Contributors Sam Andrey, Director of Policy & Research, Ryerson Leadership Lab Ryan Atkinson, Policy Consultant, Cybersecure Policy Exchange Karim Bardeesy, Executive Director, Ryerson Leadership Lab Sumit Bhatia, Director of Innovation and Policy, Rogers Cybersecure Catalyst Zaynab Choudhry, Design Lead Charles Finlay, Executive Director, Rogers Cybersecure Catalyst Braelyn Guppy, Marketing and Communications Lead, Ryerson Leadership Lab Sharan Khela, Research and Policy Intern, Cybersecure Policy Exchange Mohammed (Joe) Masoodi, Policy Analyst, Cybersecure Policy Exchange Stephanie Tran, Research and Policy Assistant, Cybersecure Policy Exchange Yuan Stevens, Policy Lead, Cybersecure Policy Exchange Our work is guided by these core principles: • Responsible technology governance is a key to Canadians’ cybersecurity and digital privacy. • Complex technology challenges call for original insights and innovative policy solutions. • Canadians’ opinions matter, and must inform every discussion of technology policy. • Cybersecurity needs to be explained and made relevant to Canadians, and cannot be relegated to language and concepts accessible only to experts. • Canadian institutions matter, and must evolve to meet new cybersecurity and digital privacy risks to maintain the public trust. • Harms, inequities and injustices arising from the unequal use or application of technology must be confronted, wherever they exist or could arise. For more information, visit: https://www.cybersecurepolicy.ca/ @cyberpolicyx @cyberpolicyx Cybersecure Policy Exchange Executive Summary Ill-intentioned actors are rapidly developing the harm. Absent this framework, discovering technological means to exploit vulnerabilities and disclosing vulnerabilities may result in in the web assets, software, hardware, and a security researcher facing liability under networked infrastructure of governments the Criminal Code, as well as potentially the around the world. Numerous jurisdictions have Copyright Act, if exemptions do not apply. adopted the policy approach of facilitating Whistleblower legislation in Canada generally coordinated vulnerability disclosure (CVD) as would also not apply to vulnerability disclosure one means to better secure the public sector’s except in very limited, specific instances. systems, through which external security researchers are provided a predictable and Further, Canada’s Centre for Cyber Security cooperative process to disclose security flaws — and its parent agency the Communications for patching before they are exploited. Canada Security Establishment — currently have is falling behind its peers and allies in adopting practices and policies that may discourage such an approach. people from disclosing vulnerabilities and, on top of this, are also opaque about how such A global scan of vulnerability disclosure policy vulnerabilities are handled. approaches indicates that 60 percent of G20 member countries provide distinct and The cumulative effect of this approach in clear disclosure processes for vulnerabilities Canada means that there is no straightforward involving government systems, with many or transparent path for a person wishing to providing clarity regarding the disclosure responsibly disclose a security vulnerability process and expectations for security found in the computer systems used by the researchers regarding communication and Government of Canada — resulting in possible acceptable activity. The Netherlands and non-disclosure, public disclosure before the US are particularly leading the way remediation, or otherwise enabling the use of when it comes to providing comprehensive security vulnerabilities by attackers in ways policy and pragmatic solutions for external that could jeopardize the security of Canada’s vulnerability disclosure, acting as a learning computer systems and the people that they model for Canada. Both countries have also serve. begun to provide explicit legal clarification regarding acceptable security research activity, particularly in the context of coordinated vulnerability disclosure. In Canada, there exists no legal or policy framework regarding security research and vulnerability disclosure done in good faith; that is, done with the intent and in such a way to repair the vulnerability while causing minimal See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 4 In light of these findings, we advocate for the following three policy solutions in Canada to remedy these gaps: 1. Canada needs a policy framework for good faith vulnerability discovery and disclosure; 2. Canada should carefully implement coordinated vulnerability disclosure procedures for the federal government’s computer systems, and draw on emerging best practices as it does so; and 3. Vulnerabilities disclosed to the government from external actors should be kept separate from the government’s handling of vulnerabilities uncovered internally in the course of Canada’s defensive and offensive intelligence efforts. See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada 5 INTRODUCTION The Need for Coordinated Vulnerability Disclosure 01 The Need for Coordinated corporate intellectual property rights, human Vulnerability Disclosure rights such as freedom of expression, and the motivation and impact of security research and 9 In 2008, the Dutch court faced a difficult hacking activity. decision. Academic researchers at Radboud University decided to examine the security of The court rendered its decision in July 2008. a smart card, which was being rolled out on a In short, the court rejected NXP’s request to mass scale for use across the country’s transit suppress the information largely on the basis 10 system.1 The contactless card reader used the of copyright law and freedom of expression. It MIFARE Classic chip by Dutch manufacturer held that the chip’s algorithm, a mathematical NXP. The chip was already in use for major formula, was not a copyrighted work and had transit systems, including London,2 Hong Kong never been made public. The court also found and Boston,3 and for government buildings that the researchers lacked the element of in the Netherlands and elsewhere.4 In their intention needed for criminal liability, given work, the security researchers discovered that that their work “sought only to raise the issue the chip’s encryption algorithm was using a of social wrongdoing and promote scientific 11 random number generator to protect the card’s research on encryption.” memory that was not, in fact, random at all.5 The result was that the research team was More than this, the court concluded that able to access the chip’s encryption protocol, the risk of misuse of the chip emanated